A port scanner is software that can be used to check which services a system that works with TCP or UDP is offering via the Internet protocol . The port scanner relieves the user of the work of examining and interpreting the response behavior of a system himself with a sniffer .
Port scanners often also offer additional functions such as operating system and service detection, although these have nothing to do with the actual port scanning.
TCP-connect () - scan
This is the easiest scanning method. The port scanner uses the connect () system call for the port scan. The operating system then takes over the actual connection establishment. If the system call was successful, the port is open. The connection is then immediately closed again with close (). If the connection could not be established, the port is closed.
The very simple programming is advantageous with this method. Since the connect () command is available on almost every system, a connect () port scanner is very portable. Special rights are usually not required. Since the connection is fully established if successful, it usually appears in the log files of the services.
TCP SYN scan
With the TCP-SYN scan, a TCP packet with the SYN flag is sent to the target host in order to simulate a connection attempt. The host's response provides information about the port: If it sends a SYN / ACK packet, the second part of the three-way handshake from TCP , the port accepts connections and is therefore open. The source host then usually replies with an RST packet to clear the connection again (this is usually not done by the port scanner, but by the operating system, since no connection attempt was officially made). If the host sends an RST packet , the port is closed. If the destination host does not send a packet at all, a packet filter is connected upstream.
This type of scan is also known as a stealth scan, since TCP implementations do not inform the associated service if connections are not fully established. This means that it does not generate any log data for attempted connection establishment or does not notice anything from the scan. The SYN scan is therefore invisible from the application point of view. However, this does not apply to the network level: Firewalls or intrusion detection systems still recognize this type of scan and can block it if necessary with the help of the port knocking process, in which the port is only opened after a pre-agreed packet sequence has been received.
System administrator rights are also required on most source systems because TCP packets have to be handcrafted by the port scanner.
TCP SYN scans can be used for denial of service attacks in the form of SYN floods .
TCP-FIN / Xmas / Null-Scan
These methods do not establish a connection, but rather examine the behavior of subsequent packets. If a port is open, the subsequent packets should be ignored as they do not belong to an existing connection. If the port is closed, a reset packet should be sent.
Which flags are set exactly depends on the type of scan:
|Xmas||FIN, URG, PUSH|
This scan is carried out through a middleman called a zombie. The idlescan is currently the only known scanning method in which the scanned host cannot draw any conclusions about the scanning host, since it only believes to see packets from the zombie.
To be suitable as a zombie host for the Idlescan, it must meet the following conditions:
- The zombie host must be able to receive packets from the target
- The IPID (IP Identification Number, part of the IP header ) must be predictable for the port scanner.
The predictability of the IPID results on the one hand from the fact that most operating systems use a system-global counter for the IPID, which is increased by a certain value whenever the system sends a self-generated packet. The values vary depending on the operating system and are typically 1, 4 or 8. In addition, for predictability it is important that the zombie itself ideally does not generate any IPID-changing packets, i.e. the system is idle - hence the term idle scan.
Surprisingly, routers are very suitable as zombies, as they normally only pass packets through (their IPID does not change), but do not participate in network traffic themselves.
For the actual scan, the port scanner needs the current IPID of the zombie. To find out the IPID, e.g. B. simply sent a TCP connection request (SYN) to him. The zombie replies SYN | ACK or RST, the reply packet contains the current IPID (2).
For the actual port scan, the attacker sends a spoofed SYN packet to the target (3). The attacker sets the IP address of the zombie host as the source IP address. If the port is open, the target sends a SYN | ACK packet to the zombie (4a). Since he has not opened a connection, the zombie sends an RST packet to the target (4a). Assuming that the zombie always increments the IPID by the value one, the following applies: this reset is sent to the target with an IPID + 1. If the port is closed, the target sends an RST packet to the zombie (4b). This package is simply ignored by the zombie. Now the attacker asks for the current IPID (5) in the same way as at the beginning. If the IPID has increased by 2 (1 packet to the target + 1 packet to the attacker), the port is open. If the IPID is only 1 higher (only 1 packet to the attacker), the port is closed (6).
A direct scan of UDP ports is not possible because the protocol works without a connection . A scan is still possible via a detour. To do this, an empty UDP packet is sent to the relevant port. If a UDP packet also comes back, the port is open. If there is no answer, the port is either closed or filtered. If a "Port Unreachable" error message is received, the port is closed. On most systems, the output of ICMP error messages is throttled in order to prevent a denial-of-service attack. Therefore, UDP scans are mostly time consuming.
FTP bounce scan
In an FTP bounce scan, the attacker needs an FTP server that allows the PORT command. The attacker can use the PORT command to transfer the IP address of the victim and a port to be checked. If the FTP server can establish a connection with the transferred data, a service runs on the port, which the server announces to the attacker. This variant of FTP was originally intended to be able to easily copy files between servers. The attacker remains invisible to the victim because a direct connection between the victim and the attacker never has to be established.
The additional functions mentioned above, such as OS fingerprinting (recognition of the operating system) and service recognition, for which z. If , for example, the port scanner nmap is known, strictly speaking, port scans are no longer and their use can be problematic not only because of the risk of a crash at the destination that cannot be completely ruled out.
The legality of port scans is controversial as they can be seen as the first instance of an intrusion attempt. In any case, use on your own systems is legal. The legal situation for port scans against third-party systems and networks is less clear. Since, for example, sensitive computers can be disturbed by many connection requests, this can be seen as an attack on the availability of a system and, in Germany, punished by Section 303b of the Criminal Code ( computer sabotage ). The SANS Institute also confirms the dichotomy between port scans in a publication.
Port scanners are currently not viewed as a computer program for spying on data according to § 202c StGB ( hacker paragraph ), as they cannot circumvent security mechanisms or intercept data, but depending on the case are viewed as preparation for an attack and legally treated accordingly.
Easy implementation of a port scanner
The following command can be used to search for open TCP ports on a Unix-like system with the Netcat program .
$ nc -vz $zu_scannender_host 1-65535
Well-known port scanners
- Nmap (Unix / Windows / Mac)
- netcat (Unix)
- Scanmetender (Windows and GNU / Linux)
- Blue's Port Scanner (Windows)
- Superscan (Windows)
- Unicornscan (Unix)
- ZMap (Unix)
- scanrand (Unix)
- Angry IP Scanner (Unix / Windows / Mac)
- iNet Network Scanner (Mac / iOS)
- ↑ The Ethics and Legality of Port Scanning (English)